Security Basics mailing list archives

Re: When IT Manager breaks rules


From: "Cam Fischer" <camfischer () gmail com>
Date: Sun, 20 May 2007 10:52:09 -0600

Hi!

We use a process where HR keys in the data (into Oracle), once Oracle
has the data, we have an automated process that comes along and
automatically creates the account (based on the Oracle data).

You are in a tough position. In this case, it is important to have the
"tone at the top" consistent, and ensure it backs up the internal
processes.

If you fall into the SOX umbrella, you may have more to go on, as the
account creation process is very tightly monitored (we just finished
another SOX audit, and the auditors spent a lot of time in that area).

You could also write a quick VB script that monitored the accounts,
and automatically alerted HR / and yourself when a new account was
created (as a double check).


.... Cam

On 5/16/07, WALI <hkhasgiwale () gmail com> wrote:
Hi guys...an odd question here!! I am mad at my IT Manager, he is such a
sissy!!

Being an internal security analyst in-charge, I want to enforce a few
policies at help desk. One of them is, not to create any user account
unless an email arrives from HR to HelpDesk, informing of the user's badge
ID, the department he/she belongs to. The status of employment and all
those things. The procedures are in place but sometimes it so happens that
some Head of the Dept. or executive management calls up our IT Manager over
the phone, or sends him an email directly which is then forwarded to our
Help Desk in-charge who is then left with few options but to create the
account without due processes. All policy compliance guidelines get thrown
up in the air.

HelpDesk in-charge is bound by his position not to defy IT manager and
he is scared to tell me (sometimes he does) that IT manager is forcing him
to dilute the AD account creation policy.

I don't want to confront IT manager based upon inputs by Helpdesk guys but
would rather put a mechanism in place, where I would automatically come to
know, that an account has been created and I can ask helpdesk to provide
proof of the email from HR arbitrarily and then confront the manager.

I know some Audit trails can be put and they would appear under Security
tab of Event manager (or so I guess) but I need something more automated
that would land in my mailbox.

Is this possible through any automated solution in AD of Windows 2003?
Probably MOM 2005 or the types?
In case I choose to confront HR Admin/managers with a plea to stop sending
such requests to our IT Manager and put their house in order, what all
genuine risks of 'not doing so' can I highlight? Ours is a fairly large
corporation employing about 1000 people.
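
Added example (not part of either message, and not the posters' code): one way to do the double check discussed above, reconciling account-creation events from the Security log against the HR feed and building an alert mail. The CSV layouts, column names, sample rows and example.invalid addresses are assumptions constructed for illustration; event ID 624 is "User Account Created" on Windows 2003, and 4720 is the equivalent on Server 2008 and later.

```python
import csv
import io
from datetime import datetime
from email.message import EmailMessage

# 624 = "User Account Created" on Windows 2000/2003; 4720 is the same event on 2008+.
CREATE_EVENT_IDS = {"624", "4720"}
# Constructed sample data (not from the thread): a Security-log export and an HR feed.
EVENTS_CSV = """time,event_id,new_account,created_by
2007-05-14T09:12:00,624,jdoe,helpdesk1
2007-05-14T11:40:00,624,ASmith,helpdesk1
2007-05-15T16:05:00,624,vip_exec,helpdesk2
2007-05-15T16:30:00,642,jdoe,helpdesk1
"""
HR_CSV = """badge_id,account,department,received
B1001,jdoe,Finance,2007-05-11T08:00:00
B1002,asmith,Sales,2007-05-14T15:00:00
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(events, hr_rows):
    """Return one finding per account created without a prior HR record."""
    hr = {r["account"].lower(): r for r in hr_rows}  # account names are case-insensitive
    findings = []
    for ev in events:
        if ev["event_id"] not in CREATE_EVENT_IDS:
            continue  # ignore other account-management events (e.g. 642, account changed)
        rec = hr.get(ev["new_account"].lower())
        if rec is None:
            reason = "no HR record"
        elif datetime.fromisoformat(rec["received"]) > datetime.fromisoformat(ev["time"]):
            reason = "HR record received after creation"  # paperwork filed after the fact
        else:
            continue  # HR request was on file first: compliant
        findings.append((ev["new_account"], ev["created_by"], ev["time"], reason))
    return findings

def build_alert(findings, to_addr="security@example.invalid"):
    msg = EmailMessage()  # built only; hand it to smtplib.SMTP.send_message to deliver
    msg["To"] = to_addr
    msg["From"] = "account-audit@example.invalid"
    msg["Subject"] = f"{len(findings)} account(s) created without prior HR request"
    msg.set_content("\n".join(" | ".join(f) for f in findings))
    return msg

if __name__ == "__main__":
    print(build_alert(reconcile(load(EVENTS_CSV), load(HR_CSV))))
```

Creation events only appear in the Security log if account-management auditing is enabled on the domain controllers, and the alert should go to a mailbox outside the help desk's control.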





